What Are State Privacy Laws?
State privacy laws are a patchwork of comprehensive data protection statutes enacted by individual US states. California (CCPA/CPRA) was first; Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and many others have followed. Each law has unique thresholds, consumer rights, and enforcement mechanisms.
For companies operating across multiple states, compliance requires understanding the overlapping and divergent requirements of each applicable law — and building a harmonized program that satisfies all of them without duplicating effort.
Key Cross-State Areas
While each state law is unique, the laws generally address the same core areas with varying specifics:
- Consumer Rights — right to know, delete, correct, and opt-out of sale/sharing — the scope of each right and its exceptions vary by state
- Processing Thresholds — revenue, consumer count, and data percentage thresholds that determine applicability — the specific numbers vary by state
- Opt-Out Mechanisms — Global Privacy Control, universal opt-out signals, and sale/sharing opt-out requirements — which signals must be honored varies by state
- Privacy Impact Assessments — required for high-risk processing activities in many states, with varying scope and triggers
- Data Broker Registration — separate registration requirements in some states for companies that qualify as data brokers
- Enforcement — AG enforcement is universal, but private right of action and cure periods vary significantly by state
State-by-State Comparison
This table highlights key differences across major state privacy laws. Each state has unique thresholds, rights, and enforcement approaches.
| State | Law | Effective | Key Threshold | Private Right of Action | Cure Period |
|---|---|---|---|---|---|
| California | CCPA/CPRA | 2020/2023 | $25M revenue or 100K consumers | Yes (data breaches) | 30 days (AG discretion) |
| Virginia | VCDPA | 2023 | 100K consumers or 25K + 50% revenue | No | 30 days |
| Colorado | CPA | 2023 | 100K consumers or 25K + revenue from sale | No | 60 days (sunsets 2025) |
| Connecticut | CTDPA | 2023 | 100K consumers or 25K + 25% revenue | No | 60 days (sunsets 2025) |
| Utah | UCPA | 2023 | $25M revenue + 100K consumers or 25K + 50% revenue | No | 30 days |
| Texas | TDPSA | 2024 | No revenue threshold; conducts business in TX | No | 30 days |
| Oregon | OCPA | 2024 | 100K consumers or 25K + 25% revenue | No | 30 days (sunsets 2026) |
Readiness Assessment Checklist
Before building or updating your multi-state privacy program, evaluate where your organization stands against these readiness questions:
- Has a multi-state applicability analysis been completed to identify which laws apply?
- Is there a harmonized privacy notice that addresses requirements across all applicable states?
- Has a universal opt-out mechanism (including GPC support) been implemented?
- Are cross-state consumer rights response procedures documented and operational?
- Is there a privacy impact assessment methodology that satisfies multi-state requirements?
- Has a data broker registration assessment been completed for applicable states?
If you can’t confidently answer “yes” to most of these questions, a readiness sprint will get you there.
Next step: See our control domain breakdown to understand what privacy regulators expect across all control areas, with evidence examples for each.